Wired router as firewall

I know this question has probably been asked many times on this list, but I'm new.

I have a wired Linksys router, several years old. I have always used Zone Alarm with it in spite of their insistence that I don't need a software firewall. However, ZA is starting to cause problems for me and I'd love to get rid of it if I don't really need it. Can anyone give some advice on this?

Thanks, s.

Reply to
Saudades

BTW: this is not a list, but usenet news ;-) And: you could use a usenet archive if you want to search for a topic which was discussed often already.

Why not configure your router for filtering? Or, if you need extra filtering in your LAN (perhaps you'll have guests ;-), then why not use the Windows-Firewall?

Yours, VB.

Reply to
Volker Birk

I'll put it to you this way. Has the use of ZA behind that NAT router ever done anything in the protection of the machine? I am not talking about some snake-oil it may have in it like Application Control and that kind of snake-oil. But has the supposed FW, in a FW capacity of stopping traffic from reaching a machine beyond what the NAT router is doing, done anything while being used behind the NAT router?

Duane :)

Reply to
Duane Arnold

I have no way of really knowing if it has helped or not. How would I know how things would have been had I not used ZA, given that I always have used ZA? Also, how would I necessarily ever know if I have had visitors?

s.

Reply to
Saudades

ZoneAlarm, when properly configured and uncompromised (I just disqualified most ZA installations) prevents outgoing connections from malware on your PC (which is good) EXCEPT from those programs which are capable of compromising the software directly, which is not especially difficult.

So, it can help for poorly written and/or unsophisticated malware if you don't allow an exception.

You can decide what that's worth to you.

Getting a better firewall appliance that stops outgoing connections would be better.

Getting one that recognizes in-band nefarious traffic (i.e., virus payloads sent out over port 25) would be better.

-Russ.

Reply to
Somebody.

BTW: stopping tunneling is not possible with an external filtering device either. There is just no way to prevent that without losing connectivity.

Yours, VB.

Reply to
Volker Birk

Malware can flat-out beat ZA or any other PFW solution at boot and login since it's not an integrated solution with the O/S that can get to that TCP/IP connection in that condition. The only one that can get there first is the XP FW, as the TCP/IP connection has the XP FW as a dependency before it starts. So App Control is 50% worthless in that respect and to me it's 100% worthless.

I see it as snake-oil.

Behind a NAT router, as a supplement to it, I would use a packet filter like IPsec to stop outbound if needed and review the router's logs for inbound and outbound traffic with something like Wallwatcher, and wouldn't even bother with a PFW solution with its snake-oil and its ability, when misconfigured, to stop things from working on the machine.

Agreed

Agreed

Duane :)

Reply to
Duane Arnold

You got a BEF model router and you're not using Wallwatcher, which is free and will clearly tell/show you the inbound and outbound traffic to/from the router by remote WAN IP for unsolicited inbound traffic and what LAN IP(s)/machines are sending outbound traffic to remote WAN-Internet IP(s)?

That's what you use to determine what kind of traffic, dubious or not, is coming to or leaving machines behind the router.

Duane :)

Reply to
Duane Arnold
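The log review Duane describes in the two posts above (check unsolicited inbound by remote WAN IP, check which LAN hosts are sending outbound and where, and, per Russ's earlier point, notice a LAN host pushing traffic out over port 25) can be scripted. The block below is an added example written for this thread; it is not Wallwatcher's code and not the router's real log format. The line layout (`date time IN|OUT src=ip:port dst=ip:port proto=X`), the sample lines, and the port-25 allowlist are all constructed assumptions for the demonstration.

```python
"""Summarise router log lines the way the thread suggests: unsolicited inbound
by remote WAN IP, outbound by LAN IP, and LAN hosts talking to port 25 directly.

The log format parsed here is an ASSUMPTION for the example, not a real
Linksys/Wallwatcher format. Sample lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample log (assumed format: date time DIR src=ip:port dst=ip:port proto=X).
SAMPLE_LOG = """\
2006-03-02 10:15:01 IN src=203.0.113.5:4431 dst=192.168.1.100:445 proto=TCP
2006-03-02 10:15:02 IN src=203.0.113.5:4432 dst=192.168.1.100:139 proto=TCP
2006-03-02 10:15:09 IN src=198.51.100.23:53 dst=192.168.1.1:53 proto=UDP
2006-03-02 10:16:00 OUT src=192.168.1.101:1034 dst=198.51.100.7:80 proto=TCP
2006-03-02 10:16:01 OUT src=192.168.1.101:1035 dst=198.51.100.7:80 proto=TCP
2006-03-02 10:16:07 OUT src=192.168.1.102:1099 dst=203.0.113.77:25 proto=TCP
2006-03-02 10:16:08 OUT src=192.168.1.102:1100 dst=203.0.113.78:25 proto=TCP
2006-03-02 10:16:09 OUT src=192.168.1.102:1101 dst=203.0.113.79:25 proto=TCP
this line is malformed on purpose and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<dir>IN|OUT) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are silently skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["sport"] = int(entry["sport"])
            entry["dport"] = int(entry["dport"])
            yield entry


def summarise(text, smtp_relay_allowlist=()):
    """Return inbound counts by remote IP, outbound counts per LAN host, and
    outbound TCP/25 connections to hosts not on the (assumed) relay allowlist."""
    inbound = Counter()                      # remote WAN IP -> unsolicited inbound hits
    outbound = defaultdict(Counter)          # LAN IP -> remote IP -> connection count
    smtp_direct = []                         # (LAN IP, remote IP) pairs using port 25
    for e in parse_log(text):
        if e["dir"] == "IN":
            inbound[e["src"]] += 1
        else:
            outbound[e["src"]][e["dst"]] += 1
            if e["proto"] == "TCP" and e["dport"] == 25 and e["dst"] not in smtp_relay_allowlist:
                smtp_direct.append((e["src"], e["dst"]))
    return {
        "inbound": dict(inbound),
        "outbound": {lan: dict(c) for lan, c in outbound.items()},
        "smtp_direct": smtp_direct,
    }


def hosts_mailing_many_relays(summary, threshold=3):
    """LAN hosts that opened port 25 to at least `threshold` distinct remote IPs;
    a desktop behind a home router normally has one relay (its ISP's), not many."""
    per_host = defaultdict(set)
    for lan_ip, remote_ip in summary["smtp_direct"]:
        per_host[lan_ip].add(remote_ip)
    return sorted(h for h, dests in per_host.items() if len(dests) >= threshold)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG, smtp_relay_allowlist=("203.0.113.77",))
    print("unsolicited inbound by remote IP:", s["inbound"])
    for lan_ip, dests in s["outbound"].items():
        print("outbound from", lan_ip, "->", dests)
    print("LAN hosts mailing many relays:", hosts_mailing_many_relays(s, threshold=2))
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents and adjusting `LINE_RE` to the actual format; the allowlist should hold only the relay the LAN is supposed to use.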

You can if the device can recognize encrypted traffic in the data stream via deep packet inspection, and then block such traffic.

When encrypted traffic is legitimately required, the destination in question can be added to a whitelist.

That's more than most small installs are either capable of or willing to maintain, admittedly.

-Russ.

Reply to
Somebody.

It can be done to a good extent through ALGs with the downside of *huge* complexity and inspection load. However, I agree if one wants to prevent it entirely there is in fact no other way than shutting down the link.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

This is the first time that I have read this, which makes sense to me. It has made me re-think my use of PFW vs. XP FW. Thanks for the post.

Reply to
Anonymous

This will not work, because tunneling needs no encryption.

Yours, VB.

Reply to
Volker Birk

Unfortunately not. Detecting tunneling means knowing the tunneling protocol. Everything else must fail. Detecting an arbitrary encoding in data is not computable.

Yours, VB.

Reply to
Volker Birk

I would supplement the XP FW with IPsec, which can stop inbound or outbound by port, protocol and IP, and is on the Win 2K and up NT based O/S(s).

Duane :)

Reply to
Duane Arnold

*maybe*, consider. I've noticed that my firewall (Norton NIS, be kind, I know better too :) becomes active VERY late in the startup sequence (Win/XP). Unlike Linux or Unix systems wherein one can control the sequence of programs to be executed (eg: rc.d), there's quite a delay between DHCP assigning an IP address and the time the firewall becomes active ... in fact, XP even tells you of this fact and carps that 'you may be exposed'.

While not elegant, the following procedure IS EFFECTIVE; unplug the ethernet cable or do not autoconnect to a network during boot. Await the presence of the firewall before you engage the cable and get a DHCP assignment. The firewall log then shows everything logged, even the BOOTP access.

Reply to
Jeff B

Yeah, yeah, I know, don't kill me, but put Gator on your machine and then set Norton with its App Control to stop it, or set any rules you want by IP to stop Gator from connecting out. You can get Active Ports or anything similar to it that shows connections to remote IP(s) and put a short-cut in the start-up folder. Then you boot and login to the machine and see if Gator is going to be stopped at the boot and login sequence by the PFW solution. I think you'll find that Gator has made several outbound connections and has done its thing before Norton can get there to stop it. I found that to be true with BlackIce and a few other PFW solutions I tested for this.

I even tested this with IPsec on Win 2K at the time to see if it could stop Gator, but IPsec is not a dependency service to anything else such as the service that makes the TCP/IP connections active on the machine. So, it told me that any malware that can get to the TCP/IP and make a connection before the 3rd party PFW solution could get there to protect the TCP/IP connection, before the PFW service could start, it's over. And that's what happened. As long as the machine was not booted and logged into, Gator was controlled.

Duane :)

Reply to
Duane Arnold

Faced with this, I would enable the category filtering option on my firewall, and block unrated web sites. Assuming the IPS system doesn't flag the activity as an attack, which it might based on signature or anomaly detection schemes.

-Russ.

Reply to
Somebody.

Big Smile ... we agree :-0

Reply to
Jeff B

^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^

Please feel free to detect the interrelation between the two underlined terms ;-)

Yours, VB.

Reply to
Volker Birk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.